a7c1f86f505e55bec1323327c159ff3ecbdc37b847f26aed4ee28b9fecba5742

General

Target

77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe
Size

332KB
MD5

77709ccfdd8b04d98eee33db53d68e51
SHA1

c72f56c1330704aae591ca7e029399a6aaf6036f
SHA256

a7c1f86f505e55bec1323327c159ff3ecbdc37b847f26aed4ee28b9fecba5742
SHA512

b1e6fd8a6a568eadbb9f53de3785f44ac0b559dfa6be6b1b3ae3b14db70f35f2c69742ae0647a3010779238ea48d1bdd78cc953deab229f760c5c27348ebc949
SSDEEP

3072:UubHlt9Q/K0+Z3DEsmaey0WmPDL4VhBjnMvHlGDu2e9cMFGYhzFfqZVuoKMuu:DH7E4eF23IvHlouxcAG42uZ3

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	2212	WerFault.exe	32

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2756	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 3000 wrote to memory of 2212	3000	77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe	32
PID 2212 wrote to memory of 1944	2212	svchost.exe	33
PID 2212 wrote to memory of 1944	2212	svchost.exe	33
PID 2212 wrote to memory of 1944	2212	svchost.exe	33
PID 2212 wrote to memory of 1944	2212	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\77709ccfdd8b04d98eee33db53d68e51_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2756
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 164
    3⤵
    - Program crash
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3000-1-0x0000000000860000-0x00000000008BA000-memory.dmp

Filesize
360KB

Download
memory/3000-6-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-5-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-2-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-4-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3000-3-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/3000-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3000-22-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing